## Remote Procedure Call Daemon. ######################################## ## ## RPC stub interface. No access allowed. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_stub',` gen_require(` type exports_t; ') ') ####################################### ## ## The template to define a rpc domain. ## ## ## ## Domain prefix to be used. ## ## # template(`rpc_domain_template',` gen_require(` attribute rpc_domain; ') ######################################## # # Declarations # type $1_t, rpc_domain; type $1_exec_t; init_daemon_domain($1_t, $1_exec_t) domain_use_interactive_fds($1_t) ######################################## # # Policy # auth_use_nsswitch($1_t) ') ######################################## ## ## Do not audit attempts to get ## attributes of export files. ## ## ## ## Domain to not audit. ## ## # interface(`rpc_dontaudit_getattr_exports',` gen_require(` type exports_t; ') dontaudit $1 exports_t:file getattr; ') ######################################## ## ## Read export files. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_read_exports',` gen_require(` type exports_t; ') allow $1 exports_t:file read_file_perms; ') ######################################## ## ## Write export files. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_write_exports',` gen_require(` type exports_t; ') allow $1 exports_t:file write; ') ######################################## ## ## Execute nfsd in the nfsd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`rpc_domtrans_nfsd',` gen_require(` type nfsd_t, nfsd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, nfsd_exec_t, nfsd_t) ') ####################################### ## ## Execute nfsd init scripts in ## the initrc domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`rpc_initrc_domtrans_nfsd',` gen_require(` type nfsd_initrc_exec_t; ') init_labeled_script_domtrans($1, nfsd_initrc_exec_t) ') ######################################## ## ## Execute rpcd in the rpcd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`rpc_domtrans_rpcd',` gen_require(` type rpcd_t, rpcd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, rpcd_exec_t, rpcd_t) ') ####################################### ## ## Execute rpcd init scripts in ## the initrc domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`rpc_initrc_domtrans_rpcd',` gen_require(` type rpcd_initrc_exec_t; ') init_labeled_script_domtrans($1, rpcd_initrc_exec_t) ') ######################################## ## ## Read nfs exported content. ## ## ## ## Domain allowed access. ## ## ## # interface(`rpc_read_nfs_content',` gen_require(` type nfsd_ro_t, nfsd_rw_t; ') allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; ') ######################################## ## ## Create, read, write, and delete ## nfs exported read write content. ## ## ## ## Domain allowed access. ## ## ## # interface(`rpc_manage_nfs_rw_content',` gen_require(` type nfsd_rw_t; ') manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) ') ######################################## ## ## Create, read, write, and delete ## nfs exported read only content. ## ## ## ## Domain allowed access. ## ## ## # interface(`rpc_manage_nfs_ro_content',` gen_require(` type nfsd_ro_t; ') manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) ') ######################################## ## ## Read and write to nfsd tcp sockets. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_tcp_rw_nfs_sockets',` gen_require(` type nfsd_t; ') allow $1 nfsd_t:tcp_socket rw_socket_perms; ') ######################################## ## ## Read and write to nfsd udp sockets. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_udp_rw_nfs_sockets',` gen_require(` type nfsd_t; ') allow $1 nfsd_t:udp_socket rw_socket_perms; ') ######################################## ## ## Search nfs lib directories. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_search_nfs_state_data',` gen_require(` type var_lib_nfs_t; ') files_search_var_lib($1) allow $1 var_lib_nfs_t:dir search; ') ######################################## ## ## Read nfs lib files. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_read_nfs_state_data',` gen_require(` type var_lib_nfs_t; ') files_search_var_lib($1) read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ') ######################################## ## ## Create, read, write, and delete ## nfs lib files. ## ## ## ## Domain allowed access. ## ## # interface(`rpc_manage_nfs_state_data',` gen_require(` type var_lib_nfs_t; ') files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ') ######################################## ## ## All of the rules required to ## administrate an rpc environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`rpc_admin',` gen_require(` attribute rpc_domain; type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; type var_lib_nfs_t, rpcd_runtime_t, gssd_tmp_t; type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t; type nfsd_t, rpcd_t; ') allow $1 rpc_domain:process { ptrace signal_perms }; ps_process_pattern($1, rpc_domain) init_startstop_service($1, $2, nfsd_t, nfsd_initrc_exec_t) init_startstop_service($1, $2, rpcd_t, rpcd_initrc_exec_t) files_list_etc($1) admin_pattern($1, { gssd_keytab_t exports_t }) files_list_var_lib($1) admin_pattern($1, var_lib_nfs_t) files_list_runtime($1) admin_pattern($1, rpcd_runtime_t) files_list_all($1) admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) files_list_tmp($1) admin_pattern($1, gssd_tmp_t) fs_search_nfsd_fs($1) ')